generated from coulomb/repo-seed
feat(sso-mfa): T05 SSO stack pivot — Keycloak → Authelia + LLDAP + KeyCape (NK-WP-0001-T05)
Replaces the Keycloak+privacyIDEA SSO tier with the lightweight stack built during KEY-WP-0001: Authelia (password frontend), LLDAP (directory), and KeyCape (OIDC orchestration). privacyIDEA is retained as the MFA engine. Stack: kc.coulomb.social — KeyCape OIDC server (stateless, custom Go) auth.coulomb.social — Authelia login portal (password auth → Authelia OIDC → KeyCape) lldap.coulomb.social — LLDAP admin UI (IP-restricted) pink.coulomb.social — privacyIDEA MFA engine (unchanged) Changes: - Remove sso-mfa/k8s/keycloak/ (7 files) - Add sso-mfa/k8s/lldap/ (pvc, deployment, middleware, ingress, create-secrets, README) - Add sso-mfa/k8s/authelia/ (pvc, configmap, deployment, ingress, create-secrets, README) - Add sso-mfa/k8s/keycape/ (deployment, middleware, ingress, create-secrets, create-pi-token, README) - Update network-policies/netpol-sso.yaml for new component topology - Update verify-t05.sh: checks LLDAP + Authelia + KeyCape (23 checks) - Update CONFIG.md: fix CP-NK-004 (KeyCape), add CP-NK-005 (Authelia), CP-NK-006 (LLDAP) - Update bootstrap/gen-secrets.sh: add LLDAP/Authelia/KeyCape sections, remove Keycloak - Update k8s/README.md: network policy table reflects new traffic paths - Add sso-mfa/WORKPLAN.md: resumable task checklist Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
147
sso-mfa/k8s/authelia/deployment.yaml
Normal file
147
sso-mfa/k8s/authelia/deployment.yaml
Normal file
@@ -0,0 +1,147 @@
|
||||
# Deployment + Service — Authelia (namespace: sso)
|
||||
#
|
||||
# Authelia is the authentication frontend: it handles username/password entry
|
||||
# and redirects back to KeyCape with an authorization code. KeyCape then
|
||||
# invokes the privacyIDEA adapter to perform the MFA step.
|
||||
#
|
||||
# Prerequisites (apply in order):
|
||||
# 1. pvc.yaml — authelia-data PVC
|
||||
# 2. configmap.yaml — authelia-config ConfigMap
|
||||
# 3. create-secrets.sh — authelia-secrets (JWT, session, storage, LDAP, OIDC keys)
|
||||
# 4. This file
|
||||
# 5. ingress.yaml
|
||||
#
|
||||
# Sensitive values are passed as *_FILE env vars pointing to Secret-mounted files.
|
||||
# See configmap.yaml for the full list of injected secrets.
|
||||
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: authelia
|
||||
namespace: sso
|
||||
labels:
|
||||
app.kubernetes.io/name: authelia
|
||||
app.kubernetes.io/part-of: net-kingdom-sso-mfa
|
||||
net-kingdom/component: sso
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: authelia
|
||||
strategy:
|
||||
type: Recreate # single replica; SQLite cannot be accessed concurrently
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/name: authelia
|
||||
app.kubernetes.io/part-of: net-kingdom-sso-mfa
|
||||
net-kingdom/component: sso
|
||||
spec:
|
||||
securityContext:
|
||||
runAsNonRoot: true
|
||||
runAsUser: 8000 # authelia default user
|
||||
fsGroup: 8000
|
||||
|
||||
containers:
|
||||
- name: authelia
|
||||
# Pin to a specific 4.x release. Check https://hub.docker.com/r/authelia/authelia
|
||||
image: authelia/authelia:4.38
|
||||
imagePullPolicy: IfNotPresent
|
||||
|
||||
ports:
|
||||
- name: http
|
||||
containerPort: 9091
|
||||
protocol: TCP
|
||||
|
||||
# ── Secret file paths — Authelia reads *_FILE env vars ──────────
|
||||
env:
|
||||
- name: AUTHELIA_JWT_SECRET_FILE
|
||||
value: /run/secrets/authelia/jwt_secret
|
||||
- name: AUTHELIA_SESSION_SECRET_FILE
|
||||
value: /run/secrets/authelia/session_secret
|
||||
- name: AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE
|
||||
value: /run/secrets/authelia/storage_encryption_key
|
||||
- name: AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE
|
||||
value: /run/secrets/authelia/ldap_password
|
||||
- name: AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE
|
||||
value: /run/secrets/authelia/oidc_hmac_secret
|
||||
- name: AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE
|
||||
value: /run/secrets/authelia/oidc_issuer_private_key
|
||||
- name: AUTHELIA_IDENTITY_PROVIDERS_OIDC_CLIENTS_0_SECRET_FILE
|
||||
value: /run/secrets/authelia/keycape_client_secret_hash
|
||||
|
||||
volumeMounts:
|
||||
# Config from ConfigMap
|
||||
- name: config
|
||||
mountPath: /config/configuration.yml
|
||||
subPath: configuration.yml
|
||||
readOnly: true
|
||||
# Secrets as files
|
||||
- name: secrets
|
||||
mountPath: /run/secrets/authelia
|
||||
readOnly: true
|
||||
# Writable data (SQLite DB + notification log)
|
||||
- name: data
|
||||
mountPath: /var/authelia/data
|
||||
|
||||
startupProbe:
|
||||
httpGet:
|
||||
path: /api/health
|
||||
port: 9091
|
||||
initialDelaySeconds: 5
|
||||
periodSeconds: 5
|
||||
failureThreshold: 18 # 18 × 5s = 90s for initial LDAP connection
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
path: /api/health
|
||||
port: 9091
|
||||
initialDelaySeconds: 0
|
||||
periodSeconds: 15
|
||||
failureThreshold: 3
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
path: /api/health
|
||||
port: 9091
|
||||
initialDelaySeconds: 0
|
||||
periodSeconds: 10
|
||||
failureThreshold: 3
|
||||
|
||||
resources:
|
||||
requests:
|
||||
cpu: "50m"
|
||||
memory: "128Mi"
|
||||
limits:
|
||||
cpu: "500m"
|
||||
memory: "256Mi"
|
||||
|
||||
volumes:
|
||||
- name: config
|
||||
configMap:
|
||||
name: authelia-config
|
||||
- name: secrets
|
||||
secret:
|
||||
secretName: authelia-secrets
|
||||
- name: data
|
||||
persistentVolumeClaim:
|
||||
claimName: authelia-data
|
||||
|
||||
---
|
||||
# Service — ClusterIP; Traefik and KeyCape reach Authelia via port 9091.
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: authelia
|
||||
namespace: sso
|
||||
labels:
|
||||
app.kubernetes.io/name: authelia
|
||||
app.kubernetes.io/part-of: net-kingdom-sso-mfa
|
||||
net-kingdom/component: sso
|
||||
spec:
|
||||
type: ClusterIP
|
||||
selector:
|
||||
app.kubernetes.io/name: authelia
|
||||
ports:
|
||||
- name: http
|
||||
port: 9091
|
||||
targetPort: 9091
|
||||
protocol: TCP
|
||||
Reference in New Issue
Block a user